PC Gamer
Andy Edser

Google begins legal action against BadBox 2.0, 'the largest known botnet of internet-connected TVs' affecting more than 10,000,000 Android devices including *checks notes* picture frames

It's not just your PC or your phone that's a potential cybersecurity risk these days, as Google's recent work uncovering an internet-of-things botnet proves. Researchers working in collaboration with Human Security and Trend Micro revealed the interestingly-named Badbox 2.0 botnet earlier this month, and now Google has confirmed it's beginning legal action against its perpetrators.

After Google and Human's work uncovering the botnet, the FBI released a public service announcement warning of its capabilities:

"Cyber criminals gain unauthorized access to home networks through compromised IoT devices, such as TV streaming devices, digital projectors, aftermarket vehicle infotainment systems, digital picture frames and other products. Most of the infected devices were manufactured in China.

"Cyber criminals gain unauthorized access to home networks by either configuring the product with malicious software prior to the user's purchase, or infecting the device as it downloads required applications that contain backdoors, usually during the set-up process.

"Once these compromised IoT devices are connected to home networks, the infected devices are susceptible to becoming part of the BadBox 2.0 botnet and residential proxy services known to be used for malicious activity."

The malicious activities in question, according to Human Security, include programmatic ad fraud, click fraud, and the activation of residential proxy services that facilitate all sorts of other cybercrimes, including potential account takeovers, fake account creations, DDoS attacks, malware distribution, and password theft.

Phew. That's quite the laundry list of unwanted device behaviour. Human's research suggests the scheme impacted more than 1 million consumer devices, but Google's blog post says that figure is actually more like 10 million+ uncertified devices, all of which run Android's open-source software.

Thankfully, Google has since deployed its Ad Traffic Quality team (Avengers, assemble) to update Google Play Protect, which the company says now automatically blocks BadBox-associated apps, and has filed a lawsuit in New York federal court against the botnet's threat actors, who remain unnamed.

"While these actions kept our users and partners safe, this lawsuit enables us to further dismantle the criminal operation behind the botnet, cutting off their ability to commit more crime and fraud."

The attack is believed to have been centred on low-cost, "off-brand" devices, so if you've picked up a bargain IoT device recently I'd be a little wary of it, even if Google appears to have closed the loop on this particular scheme. IoT devices can be expensive, and it's tempting to buy cheaper models to save a bit of cash—but as this investigation shows, the potential drawbacks to your home's precious cybersecurity status may not be worth the risk.
